# WireGuard + Cilium IP Range Conflict Troubleshooting

## Date

2026-03-29
## Problem

External WireGuard VPN connections stopped working after migrating to Cilium (eBPF).
## Symptoms

- `ping 10.0.0.1` failing from an external network (hotspot): 100% packet loss
- `ssh grgb-vpn` unreachable
- Everything worked fine from the home network
## Root Cause Analysis

### Diagnosis step 1: tcpdump

```bash
sudo tcpdump -i enp3s0 udp port 51820 -n
# Result: 0 packets, so the packets never reached the server
```

Initially suspected a router/ISP issue, but…
### Diagnosis step 2: Check Cilium configuration

```bash
kubectl -n kube-system get cm cilium-config -o yaml | grep cluster-pool
# cluster-pool-ipv4-cidr: 10.0.0.0/8
```
### Diagnosis step 3: Check routing table

```bash
ip route | grep 10.0.0
# 10.0.0.0/24 via 10.0.0.224 dev cilium_host
```
### Root cause

- Cilium claimed the entire `10.0.0.0/8` range as its cluster network
- WireGuard was also using `10.0.0.0/24`
- IP range conflict: Cilium was routing WireGuard traffic to `cilium_host`
## Fix

### Change WireGuard network range

`10.0.0.0/24` → `172.30.0.0/24` (a private IP range that doesn't overlap with Cilium)
### Modified files

#### 1. Server WireGuard config

File: `/etc/wireguard/wg0.conf`

```ini
[Interface]
PrivateKey = (redacted)
Address = 172.30.0.1/24 # changed
ListenPort = 51820

[Peer]
# Update AllowedIPs for each peer
AllowedIPs = 172.30.0.X/32
```

```bash
sudo systemctl restart wg-quick@wg0
```
#### 2. Server SSH access

File: `/etc/hosts.allow`

```
sshd: 127.0.0.1 124.49.102.36 39.119.192.15 122.34.166.131 192.168.45. 10.0.0. 172.30.0.
```

- Added `172.30.0.` (allow the new subnet in TCP Wrappers)
#### 3. Client WireGuard config (MacBook)

Updated in the WireGuard app:

```ini
[Interface]
PrivateKey = (redacted)
Address = 172.30.0.3/24 # changed
DNS = 1.1.1.1

[Peer]
PublicKey = (redacted)
AllowedIPs = 172.30.0.0/24, 192.168.0.0/24 # changed
Endpoint = 39.119.192.15:51820
PersistentKeepalive = 25
```
#### 4. SSH config

File: `~/.ssh/config`

```
Host grgb-vpn
    HostName 172.30.0.1 # changed
    User grgb-wonny
    IdentityFile ~/.ssh/keys/personal/mini_rsa
```
## IP Assignment Table

| Peer | Old IP | New IP |
|---|---|---|
| Server (mini-gmk) | 10.0.0.1 | 172.30.0.1 |
| MacBook (EbIZ) | 10.0.0.2 | 172.30.0.2 |
| grgb-wonny | 10.0.0.3 | 172.30.0.3 |
| grgb-rhuba | 10.0.0.4 | 172.30.0.4 |
| grgb-chamchi | 10.0.0.5 | 172.30.0.5 |
| mini-might (worker) | 10.0.0.11 | 172.30.0.11 |
## Team Member Config Updates Required

Each team member needs to update their WireGuard config:

- Change `Address` (10.0.0.X → 172.30.0.X)
- Change `AllowedIPs` (10.0.0.0/24 → 172.30.0.0/24)
## Lessons Learned

- Always check existing network ranges before installing Cilium
- Watch for conflicts between `cluster-pool-ipv4-cidr` and existing VPN/private network ranges
- The `172.16.0.0/12` range doesn't conflict with Cilium's default configuration
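A preflight check for the overlap described above, added here as an example (it is not part of the original note): it parses the `Address` and `AllowedIPs` entries from a wg-quick style config and reports any that overlap the Cilium `cluster-pool-ipv4-cidr`. The two embedded configs are constructed from the old and new values in this note, with keys omitted.

```python
import ipaddress
import re

# Constructed sample configs based on the values in this note (keys omitted).
OLD_WG0_CONF = """\
[Interface]
PrivateKey = (redacted)
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
AllowedIPs = 10.0.0.3/32
"""

NEW_CLIENT_CONF = """\
[Interface]
PrivateKey = (redacted)
Address = 172.30.0.3/24 # changed
DNS = 1.1.1.1

[Peer]
PublicKey = (redacted)
AllowedIPs = 172.30.0.0/24, 192.168.0.0/24 # changed
Endpoint = 39.119.192.15:51820
"""

def wg_networks(conf_text):
    """Return (setting, network) for every Address/AllowedIPs entry in a
    wg-quick style config. Handles comma-separated lists and trailing
    '# comments'; a host address such as 10.0.0.1/24 is normalised to
    its network (10.0.0.0/24), which is the prefix the kernel routes."""
    nets = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(Address|AllowedIPs)\s*=\s*(.+)", line)
        if not m:
            continue
        for cidr in m.group(2).split(","):
            cidr = cidr.strip()
            if cidr:
                nets.append((m.group(1), ipaddress.ip_network(cidr, strict=False)))
    return nets

def find_overlaps(conf_text, cluster_cidr):
    """Return [(setting, network)] for every WireGuard range that overlaps
    the Cilium cluster pool; an empty list means the ranges are disjoint."""
    pool = ipaddress.ip_network(cluster_cidr)
    return [(key, str(net)) for key, net in wg_networks(conf_text)
            if net.version == pool.version and net.overlaps(pool)]
```

Running `find_overlaps(OLD_WG0_CONF, "10.0.0.0/8")` flags both the old `Address` and the peer `AllowedIPs`, while the new client config returns an empty list against the same pool.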
## Related Commands

```bash
# Check Cilium cluster pool
kubectl -n kube-system get cm cilium-config -o yaml | grep cluster-pool

# Check routing table
ip route | grep 10.0.0

# Check WireGuard status
sudo wg show

# Check SSH access denial logs
sudo journalctl -u ssh -n 20
```